Failed to renew certificat

I’m trying to renew my certificate using the command /etc/certbot-auto renew
Unfortunately, the renewal failed with an error by Waiting for verification…
Challenge failed for domain jeedom-roudaer2.spdns.eu
http-01 challenge for jeedom-roudaer2.spdns.eu

Web server is Apache 2
Any idea of the root cause of this issue ?
Many thanks in advance for support


Processing /etc/letsencrypt/renewal/jeedom-roudaer2.spdns.eu.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jeedom-roudaer2.spdns.eu
Enabled Apache rewrite module
Waiting for verification…
Challenge failed for domain jeedom-roudaer2.spdns.eu
http-01 challenge for jeedom-roudaer2.spdns.eu
Cleaning up challenges
Attempting to renew cert (jeedom-roudaer2.spdns.eu) from /etc/letsencrypt/renewal/jeedom-roudaer2.spdns.eu.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jeedom-roudaer2.spdns.eu/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jeedom-roudaer2.spdns.eu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jeedom-roudaer2.spdns.eu
    Type: connection
    Detail: Fetching
    http://jeedom-roudaer2.spdns.eu/.well-known/acme-challenge/AEZC2mGGO77qkOzHwgs0f90j7jVga-53kbVb5bleNP8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify

Hi @roudaer2

if you want to use http-01 challenge, an open port 80 is required.

But your port 80 / http doesn't answer ( https://check-your-website.server-daten.de/?q=jeedom-roudaer2.spdns.eu ):

Domainname Http-Status redirect Sec. G
http://jeedom-roudaer2.spdns.eu/
77.204.127.136 -14 10.030 T
Timeout - The operation has timed out
https://jeedom-roudaer2.spdns.eu/
77.204.127.136 302 Jeedom 3.560 B
Jeedom 200 3.400 B
http://jeedom-roudaer2.spdns.eu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
77.204.127.136 -14 10.014 T
Timeout - The operation has timed out
Visible Content:

Only timeouts.

So:

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge.

1 Like

Hi Juergen,
Many thanks for the tip. After having opened the port 80, I’ve been able to renew my certifictae.
Is there another way to renew a certificate for instance using SSL port 443 ?

Cheers

Eric Roudart

Check

dns-01 and alpn-01 are possible.

But if you have a website, port 80 should be open.

With a redirect http -> https.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.